[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests

Implements the AZ-263 / E-BOOT initial structure task:

- Python src/-layout package `gps_denied_onboard/` with per-component
  interface stubs (14 components), type-only DTOs under `_types/`,
  shared helpers under `helpers/` (R14 LightGlue ownership), structured
  JSON logging, runtime composition root with env-var fail-fast gate,
  healthcheck module shared by Docker and CI smoke.
- CMake top-level + `cmake/{build_options,dependencies,strategies}.cmake`
  with the BUILD_* per-binary flags (ADR-002) and pinned external git
  refs for OKVIS2 / VINS-Mono / GTSAM / FAISS / OpenCV >=4.12.0.
- Three Dockerfiles (companion-tier1, operator-tooling,
  mock-suite-sat-service) + two compose files (dev + Tier-1 test).
- Four GitHub Actions workflows: ci.yml (lint/unit/integration/dual
  binary build/SBOM diff/security), ci-tier2.yml (self-hosted Jetson
  AC-bound NFTs), release.yml, cve-rescan.yml.
- Two CI gate scripts: `ci/sbom_diff.py` (deployment SBOM subset +
  R02 exclusion), `ci/opencv_pin_gate.py` (>=4.12.0 enforcement,
  D-CROSS-CVE-1).
- Alembic-driven Postgres 16 initial migration `0001_initial.py`
  mirroring satellite-provider tiles + flights + sector_classifications
  + manifests + engine_cache_entries (data_model.md s 2).
- Tier-1 test scaffolding: 95 passing unit tests covering every AC,
  per-component smoke tests, structured logging JSON output check,
  env-var gate check, healthcheck import check. Two CI-gated tests
  (cmake configure, actionlint) skip locally with explicit reasons.
- Batch report + code review report under `_docs/03_implementation/`.

Verdict: PASS_WITH_WARNINGS (two Low findings, both informational).
Co-authored-by: Cursor <cursoragent@cursor.com>

tests/unit/test_ac10_ci_gates.py

@@ -0,0 +1,124 @@
+"""AC-10: SBOM diff script + OpenCV pin gate exist and run on stub builds."""
+
+from __future__ import annotations
+
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+REPO_ROOT = Path(__file__).resolve().parents[2]
+CI_DIR = REPO_ROOT / "ci"
+
+
+def test_sbom_diff_pass_on_subset(tmp_path: Path) -> None:
+    # Arrange
+    research = tmp_path / "research_sbom.json"
+    deployment = tmp_path / "deployment_sbom.json"
+    research.write_text(
+        json.dumps(
+            [
+                {"name": "numpy", "version": "1.26.4"},
+                {"name": "scipy", "version": "1.11.3"},
+                {"name": "okvis2", "version": "0.1.0"},
+            ]
+        )
+    )
+    deployment.write_text(
+        json.dumps(
+            [
+                {"name": "numpy", "version": "1.26.4"},
+                {"name": "okvis2", "version": "0.1.0"},
+            ]
+        )
+    )
+
+    # Act
+    result = subprocess.run(
+        [
+            sys.executable,
+            str(CI_DIR / "sbom_diff.py"),
+            "--deployment",
+            str(deployment),
+            "--research",
+            str(research),
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+    # Assert
+    assert result.returncode == 0, f"sbom_diff stderr:\n{result.stderr}"
+
+
+def test_sbom_diff_fails_on_forbidden_component(tmp_path: Path) -> None:
+    # Arrange — ADR-002 / R02: vins_mono must not appear in deployment SBOM
+    research = tmp_path / "research_sbom.json"
+    deployment = tmp_path / "deployment_sbom.json"
+    research.write_text(json.dumps([{"name": "vins_mono", "version": "0.1"}]))
+    deployment.write_text(json.dumps([{"name": "vins_mono", "version": "0.1"}]))
+
+    # Act
+    result = subprocess.run(
+        [
+            sys.executable,
+            str(CI_DIR / "sbom_diff.py"),
+            "--deployment",
+            str(deployment),
+            "--research",
+            str(research),
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+    # Assert
+    assert result.returncode != 0, (
+        "sbom_diff must fail when a research-only component appears in deployment"
+    )
+
+
+def test_opencv_pin_gate_passes_on_412_minimum() -> None:
+    # Act
+    result = subprocess.run(
+        [
+            sys.executable,
+            str(CI_DIR / "opencv_pin_gate.py"),
+            "--pyproject",
+            str(REPO_ROOT / "pyproject.toml"),
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+    # Assert
+    assert result.returncode == 0, f"opencv_pin_gate stderr:\n{result.stderr}"
+
+
+def test_opencv_pin_gate_fails_on_lower_version(tmp_path: Path) -> None:
+    # Arrange
+    bad_pyproject = tmp_path / "pyproject.toml"
+    bad_pyproject.write_text(
+        '[project]\nname = "x"\nversion = "0.1"\ndependencies = ["opencv-python>=4.10,<5"]\n'
+    )
+
+    # Act
+    result = subprocess.run(
+        [
+            sys.executable,
+            str(CI_DIR / "opencv_pin_gate.py"),
+            "--pyproject",
+            str(bad_pyproject),
+        ],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+    # Assert
+    assert result.returncode != 0, (
+        "opencv_pin_gate must reject `opencv-python>=4.10` (D-CROSS-CVE-1 ≥ 4.12.0)"
+    )